] France blocks online c-porn, terrorism, racism

[David Farber <dave () farber net>]

________________________________________
From: Steven M. Bellovin [smb () cs columbia edu]
Sent: Tuesday, June 10, 2008 4:44 PM
To: David Farber
Subject: Re: [IP] France blocks online c-porn, terrorism, racism

Ironically, attempts by providers to block access to a class of sites
can backfire.  Richard Clayton showed how to use one ISP's blocker as
an oracle to compile lists of banned sites.  The paper is at
http://www.cl.cam.ac.uk/~rnc1/cleanfeed.pdf; here's the abstract:

        Three main methods of content blocking are used on the In-
        ternet: blocking routes to particular IP addresses, blocking
        specific URLs in a proxy cache or firewall, and providing
        invalid data for DNS lookups. The mechanisms have different
        accuracy/cost trade-offs.  This paper ex- amines a hybrid,
        two-stage system that redirects traffic that might need to
        be blocked to a proxy cache, which then takes the final
        decision. This promises an accurate system at a relatively
        low cost. A British ISP has deployed such a system to
        prevent access to child pornography. However, circumvention
        techniques can now be employed at both system stages to
        reduce effectiveness; there are risks from relying on DNS
        data supplied by the blocked sites; and unhappily, the
        system can be used as an oracle to determine what is being
        blocked.  Experimental results show that it is straightforward
        to use the system to compile a list of illegal websites.



-------------------------------------------
Archives: http://www.listbox.com/member/archive/247/=now
RSS Feed: http://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com